Lesson 8 C Troubleshoot Workstation Security Issues

Question 1

MALWARE VECTORS

Answer 1

Malware is usually simply defined as software that does something bad, from the perspective of the system owner. The more detailed classification of different malware types helps to identify the likely source and impact of a security incident. Some malware classifications focus on the vector used by the malware. The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts.

Question 2

Types of malware according to vector:

Answer 2

Viruses
Boot sector viruses
Trojans
Worms
Fileless malware

Question 3

Viruses

Answer 3

These are concealed within the code of an executable process image stored as a file on disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR. When the program file is executed, the virus code is also able to execute with the same privileges as the infected process. The first viruses were explicitly created to infect other files as rapidly as possible. Modern viruses are more likely to use covert methods to take control of the host.

Question 4

Boot sector viruses

Answer 4

These infect the boot sector code or partition table on a disk drive. When the disk is attached to a computer, the virus attempts to hijack the bootloader process to load itself into memory.

Question 5

Trojans

Answer 5

This is malware concealed within an installer package for software that appears to be legitimate. The malware will be installed alongside the program and execute with the same privileges. It might be able to add itself to startup locations so that it always runs when the computer starts or the user signs in. This is referred to as persistence.

Question 6

Worms

Answer 6

These replicate between processes in system memory rather than infecting an executable file stored on disk. Worms can also exploit vulnerable client/server software to spread between hosts in a network.

Question 7

Fileless malware

Answer 7

This refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory. As it may be disguised as script instructions or a document file rather than an executable image file, this type of malware can be harder to detect.

Question 8

Classifying malware by payload is a way of

Answer 8

identifying what type of actions the code performs other than simply replicating or persisting on a host.

Question 9

Backdoors

Answer 9

Modern malware is usually designed to implement some type of backdoor, also referred to as a remote access Trojan (RAT). Once the malware is installed, it allows the threat actor to access the PC, upload/exfiltrate data files, and install additional malware tools. This could allow the attacker to use the computer to widen access to the rest of the network or to add it to a botnet and launch distributed denial of service (DDoS) attacks or mass-mail spam.

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network. There are many means of implementing a covert C&C channel to evade detection and filtering. Historically, the Internet relay chat (IRC) protocol was popular. Modern methods are more likely to use command sequences embedded in HTTPS or DNS traffic.

Question 10

Spyware

Answer 10

is malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on. Spyware might also be able to monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform DNS redirection to spoofed sites.

Question 11

keylogger

Answer 11

A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

Keyloggers are not only implemented as software. A malicious script can transmit key presses to a third-party website. There are also hardware devices to capture key presses to a modified USB adapter inserted between the keyboard and the port.

Question 12

Rootkits

Answer 12

In Windows, malware can only be manually installed with local administrator privileges. This means the user must be confident enough in the installer package to enter the credentials or accept the User Account Control (UAC) prompt. Additionally, Windows tries to protect the OS files from abuse of administrator privileges. Critical processes run with a higher level of privilege (SYSTEM). Consequently, Trojans installed in the same way as regular software cannot conceal their presence entirely and will show up as a running process or service. Often the process image name is configured to be similar to a genuine executable or library to avoid detection. For example, a Trojan may use the filename “run32d11” to masquerade as “run32dll”. To ensure persistence, the Trojan may have to use a registry entry or create itself as a service. All these techniques are relatively easy to detect and remediate.

If the malware can be delivered as the payload for an exploit of a severe vulnerability, it may be able to execute without requiring any authorization using SYSTEM privileges. Alternatively, the malware may be able to use an exploit to escalate privileges after installation. Malware running with this level of privilege is referred to as a rootkit . The term derives from UNIX/Linux where any process running as root has unrestricted access to everything from the root of the file system down.

In theory, there is nothing about the system that a rootkit could not change. In practice, Windows uses other mechanisms to prevent misuse of kernel processes, such as code signing (microsoft.com/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard). Consequently, what a rootkit can do depends largely on adversary capability and level of effort. When dealing with a rootkit, you should be aware that there is the possibility that it can compromise system files and programming interfaces so that local shell processes, such as Explorer or Task Manager on Windows, ps or top on Linux, and port-listening tools ( netstat, for example), no longer reveal their presence (when run from the infected machine, that is). A rootkit may also contain tools for cleaning system logs, further concealing its presence.

Question 13

Ransomware

Answer 13

is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.

Crypto-ransomware attempts to encrypt files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate unless the user has up-to-date backups. One example of crypto-ransomware is Cryptolocker, a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of money before a certain countdown time, after which the malware destroys the key that allows the decryption.

Ransomware uses payment methods such as wire transfer, cryptocurrency, or premium-rate phone lines to allow the attacker to extort money without revealing his or her identity or being traced by local law enforcement.

Question 14

cryptominer

Answer 14

A cryptominer hijacks the resources of the host to perform cryptocurrency mining. This is also referred to as cryptojacking. Commonly, such as Bitcoin, the total number of coins within a cryptocurrency is limited by the difficulty of performing the blockchain calculations necessary to generate a new digital coin. Consequently, new coins can be very valuable, but it takes enormous computing resources to achieve them. Cryptomining is often performed across botnets.

Question 15

The multiple classifications for malware vectors and payloads mean

Answer 15

that there can be very many different symptoms of security issues. In very general terms, any sort of activity or configuration change that was not initiated by the user is a good reason to suspect malware infection.

Question 16

Performance Symptoms

Answer 16

When the computer is slow or “behaving oddly,” one of the things you should suspect is malware infection. Some specific symptoms associated with malware include:

• The computer fails to boot or experiences lockups.
• Performance at startup or in general is very slow.
• The host cannot access the network and/or Internet access or network performance is slow.
  The problem here is that performance issues could have a wide variety of other causes. If you identify these symptoms, run an antivirus scan. If this is negative but you cannot diagnose another cause, consider quarantining the system or at least putting it under close monitoring.

Question 17

Application Crashes and Service Problems

Answer 17

One of the key indicators of malware infection is that security-related applications, such as antivirus, firewall, and Windows Update, stop working. You might notice that OS updates and virus definition updates fail. You might also notice that applications or Windows tools (Task Manager, for instance) stop working or crash frequently.

Software other than Windows is often equally attractive for malware writers as not all companies are diligent in terms of secure coding. Software that uses browser plug-ins is often targeted; examples include Adobe’s Reader software for PDFs and Flash Player. If software from a reputable vendor starts crashing (faulting) repeatedly, suspect malware infection and apply quarantining/monitoring procedures.

Question 18

File System Errors and Anomalies

Answer 18

Another marker for malware infection is changes to system files and/or file permissions. Symptoms of security issues in the file system include the following:

• Missing or renamed files.
• Additional executable files with names similar to those of authentic system files and utilities, such as scvhost.exe or ta5kmgr.exe.
• Altered system files or personal files with date stamps and file sizes that are different from known-good versions.
• Files with changed permissions attributes, resulting in “Access Denied” errors.
  These sorts of issues are less likely to have other causes so you should quarantine the system and investigate it closely.

Question 19

Desktop Alerts and Notifications

Answer 19

While there are some critical exploits that allow malicious code to execute without authorization, to infect a fully patched host malware usually requires the user to explicitly install the product and confirm the UAC consent prompt. However, the malware may be able to generate something that looks like a Windows notification without being fully installed. One technique is to misuse the push notification system that allows a website to send messages to a device or app. The notification will be designed to trick or frighten the user into installing the malware by displaying a fake virus alert, for example. A notification may also link to a site that has a high chance of performing a drive-by download on an unpatched host.

Question 20

Rogue antivirus

Answer 20

is a particularly popular way to disguise a Trojan. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert, warning the user that viruses have been detected. As browsers and security software have moved to block this vector, cold-calling vulnerable users, then claiming to represent Microsoft support or the user’s ISP and asking them to enable a remote desktop tool has become a popular attack.

Question 21

Malware often targets

Answer 21

the web browser. Common symptoms of infection by spyware or adware are random or frequent pop-ups, installation of additional toolbars, a sudden change of home page or search provider, searches returning results that are different from other computers, slow performance, and excessive crashing. Viruses and Trojans may spawn pop-ups without the user opening the browser.

Question 22

Redirection

Answer 22

Redirection is where the user tries to open one page but gets sent to another. Often this may imitate the target page. In adware, this is just a blunt means of driving traffic through a site, but spyware may exploit it to capture authentication details.

Redirection may occur when entering URL web addresses manually or when performing searches. If a user experiences redirection, check the HOSTS file for malicious entries. HOSTS is a legacy means of mapping domain names to IP addresses and is a popular target for malware. Also verify which DNS servers the client is configured to use. Compare the search results returned by a suspect machine with those from a known-good workstation.

Question 23

Certificate Warnings

Answer 23

When you browse a site using a certificate, the browser displays the information about the certificate in the address bar. If the certificate is untrusted or otherwise invalid, the padlock icon is replaced by an alert icon, the URL is displayed with strikethrough formatting, and the site content is likely to be blocked by a warning message.

Question 24

causes of certificate warnings:

Answer 24

most common are:

• The certificate is self-signed or issued by a CA that is not trusted.
• The FQDN requested by the browser is different from the subject name listed in the certificate.
• The certificate has expired or is listed as revoked.

Each of these warnings could either indicate that the site is misconfigured or that some malware on the computer is attempting to redirect the browser to a spoofed page. Analyze the certificate information and the URL to determine the likely cause.

Question 25

Improper use of certificates is also an indicator for a type of on-path attack by a malicious proxy:

Answer 25

1. A user requests a connection to a secure site and inspects the site’s certificate.
2. Malware on the host or some type of evil-twin access point intercepts this request and presents its own spoofed certificate to the user/browser. Depending on the sophistication of the attack, this spoof certificate may or may not produce a browser warning. If the malware is able to compromise the trusted root certificate store, there will be no warning.
3. If the browser accepts this certificate or the user overrides a warning, the malware implements a proxy and forwards the request to the site, establishing a session.
4. The user may think he or she has a secure connection to the site, but in fact the malware is in the middle of the session and is able to intercept and modify all the traffic that would normally be encrypted.

Question 26

CompTIA has identified a seven-step best practice procedure for malware removal:

Answer 26

1. Investigate and verify malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore in Windows.
4. Remediate infected systems:
   - Update anti-malware software.
   - Scanning and removal techniques (e.g., safe mode, preinstallation environment).
5. Schedule scans and run updates.
6. Enable System Restore and create a restore point in Windows.
7. Educate the end user.

Most malware is discovered via on-access scanning by an antivirus product. If the malware is sophisticated enough to evade automated detection, the symptoms listed above may lead you to suspect infection.

Antivirus vendors maintain malware encyclopedias (“bestiaries”) with complete information about the type, symptoms, purpose, and removal of viruses, worms, Trojans, and rootkits. These sources can be used to verify the symptoms that you discover on a local system against known malware indicators and behaviors.

Question 27

Following the seven-step procedure, if symptoms of a malware infection are detected and verified, the next steps should be…

Answer 27

to apply a quarantine and disable System Restore.

Question 28

If a system is “under suspicion,”

Answer 28

do not allow users with administrative privileges to sign in—either locally or remotely—until it is quarantined. This reduces the risk that malware could compromise a privileged account.

Question 29

Putting a host in quarantine means

Answer 29

that it is not able to communicate on the main network. Malware such as worms propagate over networks. A threat actor might use backdoor malware to attempt to access other systems. This means that one of the first actions should be to disconnect the network link. Move the infected system to a physically or logically secure segment or sandbox. To remediate the system, you might need network access to tools and resources, but you cannot risk infecting the production network.

Also consider identifying and scanning any removable media that has been attached to the computer. If the virus was introduced via USB stick, you need to find it and remove it from use. Viruses could also have infected files on any removable media attached to the system while it was infected.

Question 30

Disable System Restore

Answer 30

Once the infected system is isolated, the next step is to disable System Restore and other automated backup systems, such as File History. If you are relying on a backup to recover files infected by malware, you must consider the possibility that the backups are infected too. The safest option is to delete old system restore points and backup copies, but if you need to retain them, try to use antivirus software to determine whether they are infected.

Question 31

The main tool to use to try to remediate an infected system will be

Answer 31

antivirus software, though if the software has not detected the virus in the first place, you are likely to have to use a different suite. Make sure the antivirus software is fully updated before proceeding. This may be difficult if the system is infected, however. It may be necessary to remove the disk and scan it from a different system.
While there were differences in the past, the terms antivirus and anti-malware are synonymous. Almost every antivirus product protects against a broad range of virus, worm, fileless malware, Trojan, rootkit, ransomware, spyware, and cryptominer threats.

If a file is infected with a virus, you can (hopefully) use antivirus software to try to remove the infection (cleaning), quarantine the file (the antivirus software blocks any attempt to open it), or erase the file. You might also choose to ignore a reported threat if it is a false positive, for instance. You can configure the default action that software should attempt when it discovers malware as part of a scan.

Question 32

Recovery Mode

Answer 32

Infection by advanced malware might require manual removal steps to disable persistence mechanisms and reconfiguration of the system to its secure baseline. For assistance, check the website and support services for your antivirus software, but in general terms, manual removal and reconfiguration will require the following tools:

Use Task Manager to terminate suspicious processes.
Execute commands at a command prompt terminal, and/or manually remove registry items using regedit.
- Use msconfig to perform a safe boot or boot into Safe Mode, hopefully preventing any infected code from running at startup.
- Boot the computer using the product disc or recovery media, and use the Windows Preinstallation Environment (WinPE) to run commands from a clean command environment.
- Remove the disk from the infected system, and scan it from another system, taking care not to allow cross-infection.

Question 33

OS Reinstallation

Answer 33

Antivirus software will not necessarily be able to recover data from infected files. Also, if malware gains a persistent foothold on the computer, you might not be able to run antivirus software anyway and would have to perform a complete system restore. This involves reformatting the disk, reinstalling the OS and software (possibly from a system image snapshot backup), and restoring data files from a (clean) backup.

Question 34

Once a system has been cleaned, you need to take

Answer 34

the appropriate steps to prevent reinfection.

Question 35

Configure On-access Scanning

Answer 35

Almost all security software is now configured to scan on-access. On-access means that the A-V software intercepts an OS call to open a file and scans the file before allowing or preventing it from being opened. This reduces performance somewhat but is essential to maintaining effective protection against malware.

Question 36

Configure Scheduled Scans

Answer 36

All security software supports scheduled scans. These scans can impact performance, however, so it is best to run them when the computer is otherwise unused.

You also need to configure the security software to perform malware-pattern and antivirus-engine updates regularly.

Question 37

Re-enable System Restore and Services

Answer 37

If you disabled System Restore and automatic backups, you should re-enable them as part of the recommissioning process:

• Create a fresh restore point or system image and a clean data backup.
• Validate any other security-critical services and settings that might have been compromised by the malware.
• Verify DNS configuration—DNS spoofing allows attackers to direct victims away from the legitimate sites they were intending to visit and toward fake sites. As part of preventing reinfection, you should inspect and re-secure the DNS configuration.
• Re-enable software firewalls—If malware was able to run with administrative privileges, it may have made changes to the software (host) firewall configuration to facilitate connection with a C&C network. An unauthorized port could potentially facilitate reinfection of the machine. You should inspect the firewall policy to see if there are any unauthorized changes. Consider resetting the policy to the default.

As a final step, complete another antivirus scan; if the system is clean, then remove the quarantine and return it to service.

Question 38

Educate the End User

Answer 38

Another essential malware prevention follow-up action is effective user training. Untrained users represent a serious vulnerability because they are susceptible to social engineering and phishing attacks. Appropriate security-awareness training needs to be delivered to employees at all levels, including end users, technical staff, and executives. Some of the general topics that need to be covered include the following:

• Password and account-management best practices plus security features of PCs and mobile devices.
• Education about common social engineering and malware threats, including phishing, website exploits, and spam plus alerting methods for new threats.
• Secure use of software such as browsers and email clients plus appropriate use of Internet access, including social networking sites.
• Specific anti-phishing training to identify indicators of spoofed communications, such as unexpected communications, inconsistent sender and reply to addresses, disguised links and attachments, copied text and images, and social engineering techniques, such as exaggerated urgency or risk claims.

Continuing education programs ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changing threat types.